Comment on PR #5283
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Description: This workflow is triggered when the "Check" workflow completes. | |
| # Since this pull request has write permissions on the target repo, we should **NOT** execute any untrusted code. | |
| # https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ | |
| # Based on https://github.com/spring-projects/spring-security/pull/15477/files | |
| name: Comment on PR | |
| on: | |
| workflow_run: | |
| workflows: ["Tests", "On PR opened"] | |
| # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#running-a-workflow-based-on-the-conclusion-of-another-workflow | |
| types: [completed] | |
| workflow_dispatch: | |
| inputs: | |
| pr_number: | |
| description: 'PR number' | |
| required: true | |
| workflow_run_id: | |
| description: 'Workflow run id' | |
| required: true | |
| jobs: | |
| comment: | |
| if: ${{ github.repository == 'JabRef/jabref' }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: write | |
| pull-requests: write | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Download PR number | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: pr_number | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| run-id: ${{ github.event.workflow_run.id }} | |
| - name: Read pr_number.txt | |
| if: ${{ github.event_name != 'workflow_dispatch' }} | |
| id: read-pr_number | |
| run: | | |
| PR_NUMBER=$(cat pr_number.txt) | |
| echo "Read PR number $PR_NUMBER" | |
| echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT | |
| - name: Checkout | |
| # required for gh tool and .github/ghprcomment.yml | |
| uses: actions/checkout@v4 | |
| with: | |
| show-progress: 'false' | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Is PR from forked? | |
| if: ${{ github.event_name != 'workflow_dispatch' && steps.read-pr_number.outputs.pr_number != '' }} | |
| id: isCrossRepository | |
| run: | | |
| isCrossRepository=$(gh pr view $pr_number --json isCrossRepository --jq '.isCrossRepository') | |
| echo "Got isCrossRepository $isCrossRepository" | |
| echo isCrossRepository=$isCrossRepository >> $GITHUB_OUTPUT | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| pr_number: ${{ steps.read-pr_number.outputs.pr_number }} | |
| # Set a common variable for PR number and workflow_run_id from either event. | |
| - name: Set variables | |
| if: ${{ github.event_name == 'workflow_dispatch' || (steps.read-pr_number.outputs.pr_number != '' && steps.isCrossRepository.outputs.isCrossRepository == 'true') }} | |
| id: set-vars | |
| run: | | |
| if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then | |
| echo "pr_number=${{ github.event.inputs.pr_number }}" >> $GITHUB_OUTPUT | |
| echo "workflow_run_id=${{ github.event.inputs.workflow_run_id }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "pr_number=${{ steps.read-pr_number.outputs.pr_number }}" >> $GITHUB_OUTPUT | |
| echo "workflow_run_id=${{ github.event.workflow_run.id }}" >> $GITHUB_OUTPUT | |
| fi | |
| # This step runs in both cases using the proper variables. | |
| - name: ghprcomment@main | |
| if: ${{ github.event_name == 'workflow_dispatch' || (steps.read-pr_number.outputs.pr_number != '' && steps.isCrossRepository.outputs.isCrossRepository == 'true') }} | |
| uses: jbangdev/[email protected] | |
| with: | |
| script: https://github.com/koppor/ghprcomment/blob/main/ghprcomment.java | |
| scriptargs: "-r JabRef/jabref -p ${{ steps.set-vars.outputs.pr_number }} -w ${{ steps.set-vars.outputs.workflow_run_id }}" | |
| trust: https://github.com/koppor/ghprcomment/ | |
| env: | |
| GITHUB_OAUTH: ${{ secrets.GH_TOKEN_JABREF_MACHINE_PR_APPROVE }} |